.github/workflows/cve-report.yml

name: cve-report

on:
  schedule:
    - cron: '0 17 * * *'
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
  cancel-in-progress: true

jobs:
  report:
    name: Report
    runs-on: ubuntu-24.04
    steps:
    - uses: actions/checkout@v4

    - name: Set up Go
      uses: actions/setup-go@v4
      with:
        go-version: '1.23'

    - name: Prepare git
      env:
        GITHUB_USER: 1gtm
        GITHUB_TOKEN: ${{ secrets.LGTM_GITHUB_TOKEN }}
      run: |
        set -x
        git config --global user.name "1gtm"
        git config --global user.email "1gtm@appscode.com"
        git config --global \
          url."https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com".insteadOf \
          "https://github.com"
        # git remote set-url origin https://${GITHUB_USER}:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git

    - name: Install trivy
      run: |
        # wget https://github.com/aquasecurity/trivy/releases/download/v0.18.3/trivy_0.18.3_Linux-64bit.deb
        # sudo dpkg -i trivy_0.18.3_Linux-64bit.deb
        sudo apt-get install -y --no-install-recommends wget apt-transport-https gnupg lsb-release
        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
        echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
        sudo apt-get update
        sudo apt-get install -y --no-install-recommends trivy

    - name: Install image packer
      run: |
        cd /tmp
        curl -fsSL -O https://github.com/kmodules/image-packer/releases/latest/download/image-packer-linux-amd64.tar.gz
        tar -xvf image-packer-linux-amd64.tar.gz
        chmod +x image-packer-linux-amd64
        sudo mv image-packer-linux-amd64 /usr/local/bin/image-packer

    - name: Generate report
      run: |
        image-packer generate-cve-report \
          --output-dir=catalog \
          --src=catalog/imagelist.yaml
        git add catalog/README.md || true
        git commit -s -a -m "Update cve report $(date --rfc-3339=date)"

    - name: Create Pull Request
      uses: peter-evans/create-pull-request@v6
      with:
        token: ${{ secrets.LGTM_GITHUB_TOKEN }}
        title: Update cve report
        branch: update-cve-report
        delete-branch: true
        add-paths: |
          catalog/README.md
        labels: |
          automerge